This branch expands ALIAS to the backend A/AAAA on AXFR. It also adds some testing (but the DNSSEC tests are broken because of it).
Thanks @Habbie! This is going to be very useful for a lot of people :-)
Can you explain the semantics of make ALIAS expansion in AXFR optional? I think you mean:
make ALIAS expansion in AXFR optional
Is that correct?
Hi Nick, yes, that is my thinking for the three options! Note that for 'reject' the refusal may come halfway and thus in the behavioural sense that will be like 'failing the AXFR' on the yes side of things. Clients are expected to deal with this by not replacing their local copy of the zone at all.
@nickmarden I have added the flag but it's a bool for now, missing the refuse option. Does that seem fine to you?
Sounds great to me. I'd definitely be using the yes value, not the refuse value :-)
@Habbie, I see that a related issue is tagged auth-4.0.0, but I was wondering if there is an ETA for this PR to be on PowerDNS master?
@nickmarden as I may have mentioned to you (or not), the getaddrinfo-based infrastructure in this PR is unreliable, it does not tell me the difference between 'everything is terrible' and 'name does not exist'. To fix this, I have done some refactoring in #3802 so the ALIAS code can also use a reliable resolver. This was merged a few days ago, and I need to update this PR to use that code. After that (should be sometime next week) I feel we can merge this as it will make everything just a lot better. There are some nits on #3808, and for ALIAS purposes the 'this seems optimistic' bullet (currently the 4th one) in #3808 might be relevant, but that's incremental work.
TLDR I hope to finish and merge this PR sometime next week :)
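An added illustration, not code from this PR or from PowerDNS: a small Python model of why AXFR-time ALIAS expansion needs a resolver that separates "name does not exist" from "resolution failed", and of a secondary that keeps its old copy when a transfer is cut off halfway. All names here are hypothetical, the zone data is constructed, and aborting the transfer on resolver failure is an assumed policy.

```python
from enum import Enum

class Rcode(Enum):
    NOERROR = 0
    SERVFAIL = 2
    NXDOMAIN = 3

class TransferAborted(Exception):
    """Raised mid-stream; the client must discard what it already received."""

# Constructed sample zone: (owner, type, rdata). Not taken from the PR.
ZONE = [
    ("example.org.", "SOA", "ns1.example.org. hostmaster.example.org. 1 3600 600 86400 300"),
    ("example.org.", "NS", "ns1.example.org."),
    ("www.example.org.", "ALIAS", "lb.example.net."),
    ("gone.example.org.", "ALIAS", "removed.example.net."),
]

def make_resolver(answers):
    """Hypothetical stub resolver returning (rcode, [(type, address), ...])."""
    def resolve(target):
        # Anything not listed models a resolver that cannot get an answer.
        return answers.get(target, (Rcode.SERVFAIL, []))
    return resolve

def outgoing_axfr(zone, resolve, expand_alias):
    """Yield the records of an outgoing AXFR, optionally expanding ALIAS."""
    for owner, rtype, rdata in zone:
        if rtype != "ALIAS" or not expand_alias:
            yield (owner, rtype, rdata)
            continue
        rcode, addrs = resolve(rdata)
        if rcode is Rcode.NXDOMAIN:
            continue  # target really does not exist: nothing to synthesise
        if rcode is not Rcode.NOERROR:
            # A resolver failure is not "no addresses". Assumed policy: abort
            # rather than hand the secondary a zone with the name emptied out.
            raise TransferAborted(f"cannot resolve {rdata}: {rcode.name}")
        for atype, addr in addrs:
            yield (owner, atype, addr)

def secondary_receive(current_copy, stream):
    """Replace the local zone copy only if the whole transfer arrived."""
    try:
        incoming = list(stream)
    except TransferAborted:
        return current_copy  # keep serving the previous zone
    return incoming
```

A resolver that reports every failure as an empty answer would take the `NXDOMAIN` branch for `lb.example.net.` as well, and the secondary would silently lose the addresses for `www.example.org.`.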
OK thanks @Habbie - I now understand the dependencies and timeline better. Godspeed!
pass more arguments down from cleandig to sdig
test A/AAAA with alias
add failing MX ALIAS test
only do backend ALIAS query for ANY/A/AAAA;
don't return useless backend SOA (but now we sometimes return no SOA at all);
don't return ALIAS itself even when asked for directly
skip ALIAS dnssec testing for now
allow skipping DNS/UeberBackend lookup in FindNS
synthesise ALIAS during outgoing AXFR
skip unbound-host because ALIAS does not support DNSSEC on direct que…
remove bogus skip.nodnssec files, they did the opposite of what I wanted
make ALIAS expansion in outgoing AXFR optional
enable axfr alias expansion in gsql test
change axfr-time ALIAS expansion to use stubDoResolve; catch errors
skip ALIAS tests for various backends
Expecting travis to go green any second. Reviews welcome. Note that not all bullets at the top have been fixed - this is fine, they will go into a new ticket. As far as I can tell this PR is a strong improvement over the existing situation and more polish will be applied after user testing.
@Habbie I'm not sufficiently familiar with the PowerDNS internals to offer useful commentary on most of the code changes, but the new option outgoing-axfr-expand-alias is exactly as we've discussed and so I give that a hearty 👍